Skip to content

Mysql-restic template to aligned with changed pod security on OCP-4.12 #1122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 8, 2023
Merged

Mysql-restic template to aligned with changed pod security on OCP-4.12 #1122

merged 3 commits into from
Aug 8, 2023

Conversation

hhpatel14
Copy link
Contributor

@hhpatel14 hhpatel14 commented Aug 8, 2023
edited
Loading

Restic does not change file permission after restore. The reason it deployment was not ready on 4.12 because of change in pod security restricted:v1.24.

          securityContext:
            runAsGroup: 27
            runAsUser: 27
            fsGroup: 27
            privileged: false

When privileged: false, deployment try to set permission to GID 27. However, 27 is an invalid value. Therefore Deployment is not ready within set ”Progress deadline seconds”. Error: provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{27}: 27 is not an allowed group, spec.containers[0].securityContext.runAsUser: Invalid value: 27: must be in the ranges: [1000800000, 1000809999]

When privileged: true, deployment will not try to set permission to GID 27. Therefore, this error disappeared in previous patch (https://github.com/openshift/oadp-operator/pull/1113/files ). However, this is not the reliable solution.

This patch removes GID 27, and keeps privileged: false
Other changes were just warnings when creating deployment. It was not the failure in creating pod. However, it is good that have. https://access.redhat.com/solutions/7002730

Example warnings:
W0807 22:16:26.493591 84515 warnings.go:70] unknown field "spec.template.spec.containers[0].securityContext.fsGroup" W0807 22:16:26.493950 84515 warnings.go:70] unknown field "spec.template.spec.securityContext.privileged" W0807 22:16:26.493961 84515 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "mysql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "mysql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "mysql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "mysql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 8, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2023
@openshift-ci openshift-ci bot requested review from kaovilai and sseago August 8, 2023 03:25
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2023
@hhpatel14
Copy link
Contributor Author

/retest

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2023
mpryc
mpryc reviewed Aug 8, 2023
View reviewed changes
Copy link
Contributor

@mpryc mpryc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about mysql-persistent-csi.yaml ?

@mpryc mpryc mentioned this pull request Aug 8, 2023
Closed
@hhpatel14 hhpatel14 changed the title [WIP] Mysql restic failures Mysql-restic template to aligned with changed pod security on OCP-4.12 Aug 8, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 8, 2023
@hhpatel14
Copy link
Contributor Author

What about mysql-persistent-csi.yaml ?

mysql-persistent-csi has not failed yet because privileged: true. I will test csi template manually on 4.12 and make similar changes.

@hhpatel14
Copy link
Contributor Author

/test 4.11-operator-e2e-gcp

@openshift-ci
Copy link

openshift-ci bot commented Aug 8, 2023

@hhpatel14: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci
Copy link

openshift-ci bot commented Aug 8, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hhpatel14, sseago

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sseago
Copy link
Contributor

sseago commented Aug 8, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 8, 2023
@kaovilai
Copy link
Member

kaovilai commented Aug 8, 2023 

Invalid value: 27: must be in the ranges: [1000800000, 1000809999]

Is a securityContextConstraints feature since older OCP versions.

@kaovilai
Copy link
Member

kaovilai commented Aug 8, 2023

I would recommend reviewing how to allow customers to use 27 by setting up SCCs to allow exceptions.

@openshift-merge-robot openshift-merge-robot merged commit 87a7c8f into openshift:oadp-1.2 Aug 8, 2023
@kaovilai kaovilai mentioned this pull request Aug 8, 2023
Closed
2 tasks
hhpatel14 added a commit to hhpatel14/oadp-operator that referenced this pull request Aug 10, 2023
@hhpatel14
Mysql-restic template to aligned with changed pod security on OCP-4.12 (
f08f9c9 
openshift#1122)

* Mysql restic e2e test failure on ocp4.12

* GID 27 is not allowed
@hhpatel14 hhpatel14 mentioned this pull request Aug 10, 2023
Merged
openshift-merge-robot pushed a commit that referenced this pull request Aug 10, 2023
@hhpatel14
Mysql-restic template to aligned with changed pod security on OCP-4.12 (
4148c32 
#1122) (#1124)

* Mysql restic e2e test failure on ocp4.12

* GID 27 is not allowed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpryc mpryc mpryc left review comments

@sseago sseago sseago approved these changes

@kaovilai kaovilai Awaiting requested review from kaovilai

Assignees

@sseago sseago

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@hhpatel14 @sseago @kaovilai @mpryc @openshift-merge-robot